gnutls_x509_crt_get_issuer_dn ()

This function will copy the name of the Certificate issuer in the
provided buffer. The name will be in the form
"C=xxxx,O=yyyy,CN=zzzz" as described in RFC4514. The output string
will be ASCII or UTF-8 encoded, depending on the certificate data.

gnutls_x509_crt_get_issuer_dn_by_oid ()

This function will extract the part of the name of the Certificate
issuer specified by the given OID. The output, if the raw flag is not
used, will be encoded as described in RFC4514, that is, as a string
that is ASCII or UTF-8 encoded, depending on the certificate data.

Some helper macros with popular OIDs can be found in gnutls/x509.h.
If raw_flag is (0), this function will only return the values of known
OIDs as text. The values of other OIDs will be DER encoded, as described
in RFC4514, in hex format with a '#' prefix. You can check whether an
OID is known using gnutls_x509_dn_oid_known().
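The two output forms described above (text for known OIDs, '#' plus hex DER for unknown ones) apply to every *_get_dn_by_oid() function on this page. The following is an added, self-contained example and not GnuTLS code: dn_value_rfc4514() and rdn_rfc4514() are hypothetical helpers that render one attribute value the way RFC 4514 section 2.4 prescribes, including the backslash escaping of special characters in text values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Render one DN attribute value as RFC 4514 requires (hypothetical helper
 * written for this page, not GnuTLS code):
 *   - known OID: the text value, with RFC 4514 section 2.4 escaping;
 *   - unknown OID: '#' followed by the hex encoding of the DER value bytes.
 * Returns a malloc'd string the caller must free, or NULL on failure.
 */
char *dn_value_rfc4514(bool oid_known, const unsigned char *der, size_t der_len,
                       const char *text)
{
    if (!oid_known) {
        /* "#" + two hex digits per DER byte + NUL */
        char *out = malloc(2 * der_len + 2);
        if (out == NULL)
            return NULL;
        out[0] = '#';
        for (size_t i = 0; i < der_len; i++)
            sprintf(out + 1 + 2 * i, "%02x", der[i]);
        out[1 + 2 * der_len] = '\0';
        return out;
    }

    size_t n = strlen(text);
    char *out = malloc(2 * n + 1);  /* worst case: every char escaped as "\c" */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        char c = text[i];
        /* a leading space or '#' and a trailing space must be escaped ... */
        bool leading = (i == 0 && (c == ' ' || c == '#'));
        bool trailing = (i == n - 1 && c == ' ');
        /* ... as must these characters anywhere inside the value */
        bool special = strchr("\"+,;<>\\", c) != NULL;
        if (leading || trailing || special)
            *p++ = '\\';
        *p++ = c;
    }
    *p = '\0';
    return out;
}

/* Build the "type=value" component of the RFC 4514 string, e.g.
 * "O=Acme\, Inc." or "1.2.3.4=#0c0378797a". */
char *rdn_rfc4514(const char *type, bool oid_known,
                  const unsigned char *der, size_t der_len, const char *text)
{
    char *val = dn_value_rfc4514(oid_known, der, der_len, text);
    if (val == NULL)
        return NULL;
    size_t len = strlen(type) + 1 + strlen(val) + 1;
    char *out = malloc(len);
    if (out != NULL)
        snprintf(out, len, "%s=%s", type, val);
    free(val);
    return out;
}
```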

If buf is null then only the size will be filled. If the raw_flag
is not specified the output is always null terminated, although the
buf_size will not include the null character.

gnutls_x509_crt_get_dn ()

This function will copy the name of the Certificate in the provided
buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
described in RFC4514. The output string will be ASCII or UTF-8
encoded, depending on the certificate data.

gnutls_x509_crt_get_dn_by_oid ()

This function will extract the part of the name of the Certificate
subject specified by the given OID. The output, if the raw flag is
not used, will be encoded as described in RFC4514, that is, as a
string that is ASCII or UTF-8 encoded, depending on the certificate data.

Some helper macros with popular OIDs can be found in gnutls/x509.h.
If raw_flag is (0), this function will only return the values of known
OIDs as text. The values of other OIDs will be DER encoded, as described
in RFC4514, in hex format with a '#' prefix. You can check whether an
OID is known using gnutls_x509_dn_oid_known().

If buf is null then only the size will be filled. If the raw_flag
is not specified the output is always null terminated, although the
buf_size will not include the null character.
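The buffer contract just described (buf NULL fills only the size, a too-small buffer yields GNUTLS_E_SHORT_MEMORY_BUFFER, the size reported on success excludes the terminator) is shared by gnutls_x509_crt_get_issuer_dn_by_oid() and gnutls_x509_crt_get_dn_by_oid(). The following added example is not GnuTLS code: model_get_dn() is a hypothetical stand-in implementing only that contract, and get_dn_alloc() shows the caller-side size query. It assumes the size reported for a short buffer includes the terminating NUL, which the page does not state.

```c
#include <stdlib.h>
#include <string.h>

/* Value from gnutls.h, repeated here only so the example builds without
 * GnuTLS installed. */
#define GNUTLS_E_SHORT_MEMORY_BUFFER (-51)

/*
 * model_get_dn() is a hypothetical stand-in for gnutls_x509_crt_get_dn()
 * and the *_get_dn_by_oid() calls, implementing only the buffer contract
 * those functions document:
 *   - buf == NULL: nothing is copied, only *buf_size is filled in;
 *   - buffer too small: *buf_size is set to the required size and
 *     GNUTLS_E_SHORT_MEMORY_BUFFER is returned;
 *   - success: the value is copied null terminated and *buf_size is set
 *     to its length WITHOUT the terminator.
 * Assumption (not stated on the page): the required size reported for a
 * short buffer includes the terminating NUL.
 */
int model_get_dn(const char *dn_value, char *buf, size_t *buf_size)
{
    size_t len = strlen(dn_value);

    if (buf == NULL || *buf_size < len + 1) {
        *buf_size = len + 1;
        return GNUTLS_E_SHORT_MEMORY_BUFFER;
    }
    memcpy(buf, dn_value, len + 1);   /* includes the terminator */
    *buf_size = len;                  /* reported length excludes it */
    return 0;
}

/*
 * Caller side: the robust two-call pattern. A first call with a NULL
 * buffer learns the size, the second call fills a buffer of that size.
 * Sizing the buffer from the reported success length alone (without the
 * +1 for the terminator) is the classic mistake; the size query avoids it.
 * Returns a malloc'd string the caller frees, or NULL on error.
 */
char *get_dn_alloc(const char *dn_value)
{
    size_t size = 0;
    int ret = model_get_dn(dn_value, NULL, &size);

    if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
        return NULL;                  /* a real error, not just "need room" */
    if (size == 0)
        return NULL;

    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    ret = model_get_dn(dn_value, buf, &size);
    if (ret < 0) {
        free(buf);
        return NULL;
    }
    return buf;                       /* size now equals strlen(buf) */
}
```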

gnutls_x509_crt_check_hostname ()

This function will check if the given certificate's subject matches
the given hostname. This is a basic implementation of the matching
described in RFC2818 (HTTPS), which takes into account wildcards,
and the DNSName/IPAddress subject alternative name PKIX extension.
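The RFC 2818 matching rule that gnutls_x509_crt_check_hostname() is described as implementing, written out as an added self-contained example that is not GnuTLS's code: dnsname_matches() is a hypothetical helper comparing one dNSName entry against a hostname, case-insensitively, honouring a wildcard only as the complete leftmost label. IP-address SAN entries are left out of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges of the given lengths. */
static bool ci_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/*
 * Match one dNSName pattern from a certificate against a hostname, with
 * the rules of RFC 2818 section 3.1 (hypothetical helper, not GnuTLS's own
 * gnutls_x509_crt_check_hostname()):
 *   - comparison is case-insensitive;
 *   - '*' is honoured only as the complete leftmost label and matches
 *     exactly one label: "*.example.com" matches "www.example.com" but
 *     not "example.com" or "a.b.example.com";
 *   - a bare "*" or "*.tld" pattern is rejected as too broad.
 */
bool dnsname_matches(const char *pattern, const char *hostname)
{
    size_t plen = strlen(pattern), hlen = strlen(hostname);
    if (plen == 0 || hlen == 0)
        return false;
    /* tolerate a trailing dot ("www.example.com.") on the hostname */
    if (hostname[hlen - 1] == '.')
        hlen--;

    if (pattern[0] == '*') {
        if (plen < 2 || pattern[1] != '.')
            return false;             /* "*" alone or "*foo.com" not accepted */
        const char *psuffix = pattern + 1;          /* ".example.com" */
        size_t slen = plen - 1;
        if (strchr(psuffix + 1, '.') == NULL)
            return false;             /* "*.com" would match every .com host */
        const char *hdot = memchr(hostname, '.', hlen);
        if (hdot == NULL || hdot == hostname)
            return false;             /* need one label before the wildcard */
        return ci_equal(hdot, hlen - (size_t)(hdot - hostname), psuffix, slen);
    }

    /* no leading wildcard: a '*' elsewhere is not supported */
    if (memchr(pattern, '*', plen) != NULL)
        return false;
    return ci_equal(pattern, plen, hostname, hlen);
}
```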

gnutls_x509_crt_get_key_id ()

This function will return a unique ID that depends on the public
key parameters. This ID can be used in checking whether a
certificate corresponds to the given private key.

If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned. The output will normally be a SHA-1 hash output,
which is 20 bytes.

crt :

Holds the certificate

flags :

should be 0 for now

output_data :

will contain the key ID

output_data_size :

holds the size of output_data (and will be
replaced by the actual size of parameters)

Returns :

In case of failure a negative error code will be
returned, and 0 on success.

gnutls_x509_crt_get_authority_key_id ()

This function will return the X.509v3 certificate authority's key
identifier. This is obtained from the X.509 Authority Key
Identifier extension field (2.5.29.35). Note that this function
only returns the keyIdentifier field of the extension, and returns
GNUTLS_E_X509_UNSUPPORTED_EXTENSION if the extension instead contains
the name and serial number of the certificate. In that case
gnutls_x509_crt_get_authority_key_gn_serial() may be used.

gnutls_x509_crt_get_serial ()

This function will return the X.509 certificate's serial number.
This is obtained from the X.509 Certificate serialNumber field. The
serial is not always a 32 or 64 bit number. Some CAs use large serial
numbers, so it is wise to handle it as an opaque array of uint8_t.

If an otherName OID is known, the data will be decoded. Otherwise
the returned data will be DER encoded, and you will have to decode
it yourself. Currently, only the RFC 3920 id-on-xmppAddr SAN is
recognized.

gnutls_x509_crt_get_subject_alt_name2 ()

This function will return the alternative names contained in the
given certificate. It is the same as
gnutls_x509_crt_get_subject_alt_name() except for the fact that it
will return the type of the alternative name in san_type even if
the function fails for some reason (e.g. the buffer provided is
not large enough).

specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

oid :

is the place where the otherName OID will be copied to

oid_size :

holds the size of oid.

Returns :

the alternative subject name type on success, one of the
enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
e.g. GNUTLS_SAN_OTHERNAME_XMPP, and GNUTLS_SAN_OTHERNAME for
unknown OIDs. It will return GNUTLS_E_SHORT_MEMORY_BUFFER if
oid_size is not large enough to hold the value. In that case
oid_size will be updated with the required size. If the
certificate does not have an Alternative name with the specified
sequence number and with the otherName type then
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.

If an otherName OID is known, the data will be decoded. Otherwise
the returned data will be DER encoded, and you will have to decode
it yourself. Currently, only the RFC 3920 id-on-xmppAddr Issuer
AltName is recognized.

gnutls_x509_crt_get_issuer_alt_name2 ()

This function will return the alternative names contained in the
given certificate. It is the same as
gnutls_x509_crt_get_issuer_alt_name() except for the fact that it
will return the type of the alternative name in ian_type even if
the function fails for some reason (e.g. the buffer provided is
not large enough).

specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

ret :

is the place where the otherName OID will be copied to

ret_size :

holds the size of ret.

Returns :

the alternative issuer name type on success, one of the
enumerated gnutls_x509_subject_alt_name_t. For supported OIDs, it
will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
e.g. GNUTLS_SAN_OTHERNAME_XMPP, and GNUTLS_SAN_OTHERNAME for
unknown OIDs. It will return GNUTLS_E_SHORT_MEMORY_BUFFER if
ret_size is not large enough to hold the value. In that case
ret_size will be updated with the required size. If the
certificate does not have an Alternative name with the specified
sequence number and with the otherName type then
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.

Since 2.10.0

gnutls_x509_crt_get_ca_status ()

This function will return the certificate's CA status, by reading the
basicConstraints X.509 extension (2.5.29.19). If the certificate is
a CA a positive value will be returned, or (0) if the certificate
does not have the CA flag set.

pointer to output integer indicating CA status, may be NULL,
value is 1 if the certificate CA flag is set, 0 otherwise.

pathlen :

pointer to output integer indicating path length (may be
NULL); non-negative values indicate a present pathLenConstraint
field and its actual value, -1 indicates that the field is absent.

Returns :

If the certificate is a CA a positive value will be
returned, or (0) if the certificate does not have the CA flag set. A
negative error code may be returned in case of errors. If the
certificate does not contain the basicConstraints extension
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

gnutls_x509_dn_oid_known ()

This function will inform about known DN OIDs. This is useful since
functions like gnutls_x509_crt_set_dn_by_oid() use the information
on known OIDs to properly encode their input. Object Identifiers
that are not known are not encoded by these functions, and their
input is stored directly into the ASN.1 structure. In the case of
unknown OIDs, you have the responsibility of DER encoding your
data.

In case multiple extensions with the same OID exist, this specifies which to return. Use (0) to get the first one.

buf :

a pointer to a structure to hold the name (may be null)

buf_size :

initially holds the size of buf

critical :

will be non-zero if the extension is marked as critical

Returns :

On success, GNUTLS_E_SUCCESS (0) is returned,
otherwise a negative error code is returned. If the certificate does not
contain the specified extension
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

gnutls_x509_crt_get_extension_info ()

This function will return the requested extension OID in the
certificate, and the critical flag for it. The extension OID will
be stored as a string in the provided buffer. Use
gnutls_x509_crt_get_extension_data() to extract the data.

If the buffer provided is not long enough to hold the output, then
oid_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be
returned. The oid returned will be null terminated, although
oid_size will not account for the trailing null.

gnutls_x509_crt_set_dn_by_oid ()

This function will set the part of the name of the Certificate
subject, specified by the given OID. The input string should be
ASCII or UTF-8 encoded.

Some helper macros with popular OIDs can be found in gnutls/x509.h.
With this function you can only set the known OIDs. You can test
for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
not known (by gnutls) you should properly DER encode your data,
and call this function with raw_flag set.

gnutls_x509_crt_set_issuer_dn_by_oid ()

This function will set the part of the name of the Certificate
issuer, specified by the given OID. The input string should be
ASCII or UTF-8 encoded.

Some helper macros with popular OIDs can be found in gnutls/x509.h.
With this function you can only set the known OIDs. You can test
for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
not known (by gnutls) you should properly DER encode your data,
and call this function with raw_flag set.

Normally you do not need to call this function, since the signing
operation will copy the signer's name as the issuer of the
certificate.

gnutls_x509_crt_set_proxy_dn ()

This function will set the subject in crt to the end entity's
eecrt subject name, and add a single Common Name component name
of size sizeof_name. This corresponds to the required proxy
certificate naming style. Note that if name is NULL, you MUST
set it later by using gnutls_x509_crt_set_dn_by_oid() or similar.

gnutls_x509_crt_print ()

This function will pretty print an X.509 certificate, suitable for
display to a human.

If the format is GNUTLS_CRT_PRINT_FULL then all fields of the
certificate will be output, on multiple lines. The
GNUTLS_CRT_PRINT_ONELINE format will generate one line with some
selected fields, which is useful for logging purposes.

The X.509 distinguished name is a sequence of sequences of strings
and this is what the irdn and iava indexes model.

Note that ava will contain pointers into the dn structure, so you
should not modify any data or deallocate it. Note also that the DN
in turn points into the original certificate structure, and thus
you may not deallocate the certificate and continue to access dn.

gnutls_x509_crl_init ()

This function will initialize a CRL structure. CRL stands for
Certificate Revocation List. A revocation list usually contains
lists of certificate serial numbers that have been revoked by an
Authority. The revocation lists are always signed with the
authority's private key.

gnutls_x509_crl_get_issuer_dn ()

This function will copy the name of the CRL issuer in the provided
buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
described in RFC4514. The output string will be ASCII or UTF-8
encoded, depending on the certificate data.

gnutls_x509_crl_get_issuer_dn_by_oid ()

This function will extract the part of the name of the CRL issuer
specified by the given OID. The output will be encoded as described
in RFC4514. The output string will be ASCII or UTF-8 encoded,
depending on the certificate data.

Some helper macros with popular OIDs can be found in gnutls/x509.h.
If raw_flag is (0), this function will only return the values of known
OIDs as text. The values of other OIDs will be DER encoded, as described
in RFC4514, in hex format with a '#' prefix. You can check whether an
OID is known using gnutls_x509_dn_oid_known().

If buf is null then only the size will be filled.

crl :

should contain a gnutls_x509_crl_t structure

oid :

holds an Object Identifier as a null terminated string

indx :

In case multiple same OIDs exist in the RDN, this specifies which to return. Use (0) to get the first one.

raw_flag :

If non-zero returns the raw DER data of the DN part.

buf :

a pointer to a structure to hold the peer's name (may be null)

sizeof_buf :

initially holds the size of buf

Returns :

GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
not long enough, and in that case the sizeof_buf will be updated
with the required size, and 0 on success.

gnutls_x509_crl_get_authority_key_id ()

This function will return the CRL authority's key identifier. This
is obtained from the X.509 Authority Key Identifier extension field
(2.5.29.35). Note that this function
only returns the keyIdentifier field of the extension, and returns
GNUTLS_E_X509_UNSUPPORTED_EXTENSION if the extension instead contains
the name and serial number of the certificate. In that case
gnutls_x509_crl_get_authority_key_gn_serial() may be used.

gnutls_x509_crl_get_extension_info ()

This function will return the requested extension OID in the CRL,
and the critical flag for it. The extension OID will be stored as
a string in the provided buffer. Use
gnutls_x509_crl_get_extension_data() to extract the data.

If the buffer provided is not long enough to hold the output, then
*sizeof_oid is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be
returned.

gnutls_x509_crl_set_authority_key_id ()

This function will set the CRL's authority key ID extension. Only
the keyIdentifier field can be set with this function. This may
be used by an authority that holds multiple private keys, to indicate
which key was used.

If set, a signer does not have to be
a certificate authority. This flag should normally be disabled,
unless you know what this means.

GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT

Allow trusted CA certificates
with version 1. This is safer than GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT,
and should be used instead. That way only signers in your trusted list
will be allowed to have certificates of version 1. This is the default.

GNUTLS_VERIFY_DO_NOT_ALLOW_SAME

If a certificate is not signed by
anyone trusted but exists in the trusted CA list do not treat it
as trusted.

GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT

Allow CA certificates that
have version 1 (both root and intermediate). This might be
dangerous since those do not have the basicConstraints
extension. Must be used in combination with
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT.

GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2

Allow certificates to be signed
using the broken MD2 algorithm.

GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5

Allow certificates to be signed
using the broken MD5 algorithm.

GNUTLS_VERIFY_DISABLE_TIME_CHECKS

Disable checking of activation
and expiration validity periods of certificate chains. Don't set
this unless you understand the security implications.

GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS

If set, a signer in the trusted
list is never checked for expiration or activation.

GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT

Do not allow trusted CA
certificates that have version 1. This option is to be used
to deprecate all certificates of version 1.

GNUTLS_VERIFY_DISABLE_CRL_CHECKS

Disable checking for validity
using certificate revocation lists or the available OCSP data.

GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN

A certificate chain is tolerated
if unsorted (the case with many TLS servers out there). This is the
default since GnuTLS 3.1.4.

gnutls_x509_crt_list_verify ()

This function will try to verify the given certificate list and
return its status. If no flags are specified (0), this function
will use the basicConstraints (2.5.29.19) PKIX extension. This
means that only a certificate authority is allowed to sign a
certificate.

You must also check the peer's name in order to check if the verified
certificate belongs to the actual peer.

The certificate verification output will be put in verify and will
be one or more of the gnutls_certificate_status_t enumerated
elements bitwise or'd. For a more detailed verification status use
gnutls_x509_crt_verify() per list element.

cert_list :

is the certificate list to be verified

cert_list_length :

holds the number of certificates in cert_list

CA_list :

is the CA list which will be used in verification

CA_list_length :

holds the number of CA certificates in CA_list

CRL_list :

holds a list of CRLs.

CRL_list_length :

the length of CRL list.

flags :

Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.

gnutls_x509_crl_verify ()

This function will try to verify the given crl and return its status.
See gnutls_x509_crt_list_verify() for a detailed description of
return values. Note that since GnuTLS 3.1.4 this function includes
the time checks.

crl :

is the crl to be verified

CA_list :

is a certificate list that is considered trusted

CA_list_length :

holds the number of CA certificates in CA_list

flags :

Flags that may be used to change the verification algorithm. Use OR of the gnutls_certificate_verify_flags enumerations.

gnutls_x509_crt_get_key_purpose_oid ()

This function will extract the key purpose OIDs of the Certificate
specified by the given index. These are stored in the Extended Key
Usage extension (2.5.29.37). See the GNUTLS_KP_* definitions for
human readable names.

If oid is null then only the size will be filled. The oid
returned will be null terminated, although oid_size will not
account for the trailing null.

gnutls_x509_privkey_import_pkcs8 ()

This function will convert the given DER or PEM encoded PKCS8 2.0
encrypted key to the native gnutls_x509_privkey_t format. The
output will be stored in key. Both RSA and DSA keys can be
imported, and flags can only be used to indicate an unencrypted
key.

The password can be either ASCII or UTF-8 in the default PBES2
encryption schemas, or ASCII for the PKCS12 schemas.

If the key is PEM encoded it should have a header of
"ENCRYPTED PRIVATE KEY", or "PRIVATE KEY". You only need to
specify the flags if the key is DER encoded, since in that case
the encryption status cannot be auto-detected.

gnutls_x509_privkey_get_key_id ()

This function will return a unique ID that depends on the public key
parameters. This ID can be used in checking whether a certificate
corresponds to the given key.

If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned. The output will normally be a SHA-1 hash output,
which is 20 bytes.

key :

Holds the key

flags :

should be 0 for now

output_data :

will contain the key ID

output_data_size :

holds the size of output_data (and will be
replaced by the actual size of parameters)

gnutls_x509_privkey_export_pkcs8 ()

This function will export the private key to a PKCS8 structure.
Both RSA and DSA keys can be exported. For DSA keys we use
PKCS 11 definitions. If the flags do not specify the encryption
cipher, then the default 3DES (PBES2) will be used.

The password can be either ASCII or UTF-8 in the default PBES2
encryption schemas, or ASCII for the PKCS12 schemas.

If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned.

If the structure is PEM encoded, it will have a header
of "BEGIN ENCRYPTED PRIVATE KEY" or "BEGIN PRIVATE KEY" if
encryption is not used.

key :

Holds the key

format :

the format of output params. One of PEM or DER.

password :

the password that will be used to encrypt the key.

flags :

an ORed sequence of gnutls_pkcs_encrypt_flags_t

output_data :

will contain a private key PEM or DER encoded

output_data_size :

holds the size of output_data (and will be
replaced by the actual size of parameters)

Returns :

In case of failure a negative error code will be
returned, and 0 on success.

gnutls_x509_crq_get_dn ()

This function will copy the name of the Certificate request subject
to the provided buffer. The name will be in the form
"C=xxxx,O=yyyy,CN=zzzz" as described in RFC 2253. The output string
buf will be ASCII or UTF-8 encoded, depending on the certificate
data.

gnutls_x509_crq_get_dn_by_oid ()

This function will extract the part of the name of the Certificate
request subject, specified by the given OID. The output will be
encoded as described in RFC2253. The output string will be ASCII
or UTF-8 encoded, depending on the certificate data.

Some helper macros with popular OIDs can be found in gnutls/x509.h.
If raw_flag is (0), this function will only return the values of known
OIDs as text. The values of other OIDs will be DER encoded, as described
in RFC2253, in hex format with a '#' prefix. You can check whether an
OID is known using gnutls_x509_dn_oid_known().

crq :

should contain a gnutls_x509_crq_t structure

oid :

holds an Object Identifier as a null terminated string

indx :

In case multiple same OIDs exist in the RDN, this specifies
which to return. Use (0) to get the first one.

gnutls_x509_crq_set_dn_by_oid ()

This function will set the part of the name of the Certificate
request subject, specified by the given OID. The input string
should be ASCII or UTF-8 encoded.

Some helper macros with popular OIDs can be found in gnutls/x509.h.
With this function you can only set the known OIDs. You can test
for known OIDs using gnutls_x509_dn_oid_known(). For OIDs that are
not known (by gnutls) you should properly DER encode your data, and
call this function with raw_flag set.

gnutls_x509_crq_get_key_purpose_oid ()

This function will extract the key purpose OIDs of the Certificate
specified by the given index. These are stored in the Extended Key
Usage extension (2.5.29.37). See the GNUTLS_KP_* definitions for
human readable names.

gnutls_x509_crq_get_extension_info ()

This function will return the requested extension OID in the
certificate request, and the critical flag for it. The extension OID
will be stored as a string in the provided buffer. Use
gnutls_x509_crq_get_extension_data() to extract the data.

If the buffer provided is not long enough to hold the output, then
*sizeof_oid is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be
returned.

gnutls_x509_crq_get_attribute_info ()

This function will return the requested attribute OID in the
certificate request, and the critical flag for it. The attribute OID
will be stored as a string in the provided buffer. Use
gnutls_x509_crq_get_attribute_data() to extract the data.

If the buffer provided is not long enough to hold the output, then
*sizeof_oid is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be
returned.

gnutls_x509_crq_get_key_id ()

This function will return a unique ID that depends on the public key
parameters. This ID can be used in checking whether a certificate
corresponds to the given private key.

If the buffer provided is not long enough to hold the output, then
*output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will
be returned. The output will normally be a SHA-1 hash output,
which is 20 bytes.

pointer to output integer indicating CA status, may be NULL,
value is 1 if the certificate CA flag is set, 0 otherwise.

pathlen :

pointer to output integer indicating path length (may be
NULL); non-negative values indicate a present pathLenConstraint
field and its actual value, -1 indicates that the field is absent.

Returns :

If the certificate is a CA a positive value will be
returned, or (0) if the certificate does not have the CA flag set.
A negative error code may be returned in case of errors. If the
certificate does not contain the basicConstraints extension
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since 2.8.0

gnutls_x509_crq_get_subject_alt_name ()

This function will return the alternative names contained in the
given certificate request. It is the same as
gnutls_x509_crq_get_subject_alt_name() except for the fact that it
will return the type of the alternative name in ret_type even if
the function fails for some reason (e.g. the buffer provided is
not large enough).

specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)

ret :

is the place where the otherName OID will be copied to

ret_size :

holds the size of ret.

Returns :

the alternative subject name type on success, one of the
enumerated gnutls_x509_subject_alt_name_t. For supported OIDs,
it will return one of the virtual (GNUTLS_SAN_OTHERNAME_*) types,
e.g. GNUTLS_SAN_OTHERNAME_XMPP, and GNUTLS_SAN_OTHERNAME for
unknown OIDs. It will return GNUTLS_E_SHORT_MEMORY_BUFFER if
ret_size is not large enough to hold the value. In that case
ret_size will be updated with the required size. If the
certificate does not have an Alternative name with the specified
sequence number and with the otherName type then
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.